SMARTCARD USER INTERFACE FOR TRUSTED COMPUTING PLATFORM

Field of the Invention

The present invention relates to the field of computers, and particularly, although not exclusively, to a computing entity which can be placed into a trusted state, and a method of operating the computing entity such that a user of the entity is confident that the computing entity is in the trusted state.

Background to the Invention

Conventional prior art mass market computing platforms include the well-known personal computer (PC) and competing products such as the Apple Macintosh™, and a proliferation of known palm-top and laptop personal computers. Generally, markets for such machines fall into two categories, these being domestic or consumer, and corporate. A general requirement for a computing platform for domestic or consumer use is a relatively high processing power, Internet access features, and multi-media features for handling computer games. For this type of computing platform, the Microsoft Windows® '95 and '98 operating system products and Intel processors dominate the market.


On the other hand, for business use in many applications, a server platform provides centralized data storage, and application functionality for a plurality of client stations. For business use, key criteria are reliability, networking features, and security features. For such platforms, the Microsoft Windows NT 4.0™ operating system is common, as well as the Unix™ operating system.

With the increase in commercial activity transacted over the Internet, known as "e-commerce", there has been much interest in the prior art in enabling data transactions between computing platforms over the Internet of both domestic and commercial types. A fundamental issue in acceptance of such systems is the one of trust between interacting computer platforms for the making of such transactions.

There have been several prior art schemes which are aimed at increasing the security and trustworthiness of computer platforms. Predominantly, these rely upon adding in security features at the application level, that is to say the security features are not inherently embedded in the kernel of operating systems, and are not built in to the fundamental hardware components of the computing platform. Portable computer devices have already appeared on the market which include a smartcard, which contains data specific to a user, which is input into a smartcard reader on the computer. Presently, such smartcards are at the level of being add-on extras to conventional personal computers, and in some cases are integrated into a casing of a known computer. Although these prior art schemes go some way to improving the security of computer platforms, the levels of security and trustworthiness gained by prior art schemes may be considered insufficient to enable widespread application of automated transactions between computer platforms. For businesses to expose significant value transactions to electronic commerce on a widespread scale, they require confidence in the trustworthiness of the underlying technology.



Prior art computing platforms have several problems which stand in the way of increasing their inherent security:

• The operating status of a computer platform and the status of the data within the platform is dynamic and difficult to predict. It is difficult to determine whether a computer platform is operating correctly because the state of the computer platform and data on the platform is constantly changing and the computer platform itself may be dynamically changing.

• From a security point of view, commercial computer platforms, in particular client platforms, are often deployed in environments which are vulnerable to unauthorized modification. The main areas of vulnerability include modification by software loaded by a user, or via a network connection. Particularly, but not exclusively, conventional computer platforms may be vulnerable to attack by virus programs, with varying degrees of hostility.

• Computer platforms may be upgraded or their capabilities may be extended or restricted by physical modification, i.e. addition or deletion of components such as hard disk drives, peripheral drivers and the like.

It is known to provide security features for computer systems, which are embedded in operating software. These security features are primarily aimed at providing division of information within a community of users of a local system. In the known Microsoft Windows NT™ 4.0 operating system, there exists a monitoring facility called a "system log event viewer" in which a log of events occurring within the platform is recorded into an event log data file which can be inspected by a system administrator using the Windows NT operating system software. This facility goes some way to enabling a system administrator to monitor pre-selected events for security purposes. The event logging function in the Windows NT™ 4.0 operating system provides system monitoring.



In terms of overall security of a computer platform, a purely software based system is vulnerable to attack, for example by viruses of which there are thousands of different varieties. Several proprietary virus finding and correcting applications are known, for example the Dr Solomons™ virus toolkit program or Norton™ anti-virus kit. The Microsoft Windows NT™ 4.0 software includes a virus guard software, which is preset to look for known viruses. However, virus strains are developing continuously, and the virus guard software will not give reliable protection against newer unknown viruses. New strains of virus are being developed and released into the computing and internet environment on an ongoing basis.

Prior art monitoring systems for computer entities focus on network monitoring functions, where an administrator uses network management software to monitor performance of a plurality of networked computers. In these known systems, trust in the system does not reside at the level of individual trust of each hardware unit of each computer platform in a system, but relies on a network administrator monitoring each computer in the network. Prior art systems cannot verify operation of remote computers running different operating systems on different networks, for example as accessed over the internet.

In known systems there is difficulty in establishing trust between a user of a computing platform and the computing platform.


Summary of the Invention

One object of the present invention is to provide a computing entity in which a user can have a high degree of confidence that the computing entity has not been corrupted by an external influence, and is operating in a predictable and known manner.

Another object of the present invention is to simplify a task of a user of a computing entity judging whether the trustworthiness of the computing entity is sufficient to perform a particular task or set of tasks or type of task required by the user.

In the specific embodiments, the user is provided with a trusted token device which is portable and separable from a computer entity. The token device is trusted by the user to verify that a computer entity which the user wishes to use is trustworthy. In the general case, the token device is not restricted to verifying the trustworthiness of one particular computer entity, but is generic to operate with any one or more of a plurality of computer entities.

According to a first aspect of the present invention there is provided a system of computing apparatus comprising:

a computing platform having a first data processor and a first data storage means;

a monitoring component having a second data processor and a second data storage means, wherein said monitoring component is configured to perform a plurality of data checks on said computing platform; and

a token device being physically distinct and separable from said computing platform and said monitoring component,

wherein in one mode of operation, said token device operates to make an integrity challenge to said monitoring component and said token device will not undertake specific actions of which it is capable unless it receives a satisfactory response to said integrity challenge.

Said token device may receive a detailed response to said integrity 
challenge, and process said integrity response to interpret said integrity 
response. 


The system may further comprise a third party server, wherein a response 
to said integrity challenge is sent to said third party server. 

Said monitoring component may send a detailed integrity response to said third party server if requested in the integrity challenge by said token device.

Said monitoring component may report a detailed integrity response to said token device, and said token device may send said integrity response to said third party server, if it requires the third party server to help interpret said detailed integrity response.

Said third party server may simplify said integrity response to a form in 
which said token device can interpret said integrity response. 

Said third party server may send said simplified integrity response to said token device.

The system may further operate the steps of adding a digital signature data to said simplified integrity response, said digital signature data authenticating said third party server to said token device.

Said token device may be requested to take an action. Alternatively, said 
token device may request to take an action. 

In one mode of operation, the token device may send image data to said computer platform if a said satisfactory response to said integrity challenge is received, and said computer platform may display said image data.

Preferably said monitoring component is capable of establishing an identity of itself.



Preferably the system further comprises an interface means for interfacing 
between said monitoring component and said token device. 
Preferably said computing entity is configured such that said monitoring component reports said data checks to said token device, said data checks containing data describing a status of said computer platform.

A said specific action may comprise authorising said computing platform to undertake a transaction on behalf of a user of said system.

According to a second aspect of the present invention there is provided a system of computing apparatus comprising:

a computing platform having a first data processor and a first data storage means;

a monitoring component having a second data processor and a second data storage means, wherein said monitoring component is configured to perform a plurality of data checks on said computing platform; and

a token device being physically distinct and separable from said computing platform and said monitoring component,

wherein said token device sends an integrity challenge to said monitoring component;

said monitoring component generates a response to said integrity challenge;

if said token device receives a satisfactory response to said integrity challenge, then said token device sends verification data to said computer platform, said verification data verifying correct operation of said computer platform; and

said computer platform displays said verification data on a visual display screen.

According to a third aspect of the present invention there is provided a computing entity comprising:

a computing platform having a first data processor and first data storage means;

a monitoring component having a second data processor and second data storage means, wherein said monitoring component is configured to perform a plurality of data checks on said computing platform, said monitoring component being capable of establishing an identity of itself;

interface means for communicating with a token device, said interface means communicating with said monitoring component,

wherein said computing entity is configured such that said monitoring component reports said data checks to said token device, said data checks containing data describing a status of said computer platform.

Preferably on communication between said token device and said interface means, said monitoring component is activated to perform a monitoring operation on said computer platform, in which said monitoring component obtains data describing an operating status of said computer platform.

Said interface means is resident substantially wholly within said monitoring component in a best mode implementation. In an alternative implementation, said interface means may comprise said computer platform.



Said interface means preferably comprises a PCSC stack in accordance with PCSC Workgroup PC/SC Specification 1.0.

Said monitoring component may comprise a verification means configured to obtain a certification data independently certifying said status data, and to provide said certification data to said interface means.

Said interface means may be configured to send and receive data according to a proactive protocol.

According to a fourth aspect of the present invention there is provided a method of obtaining verification of a state of a computer entity, said computer entity comprising a computer platform comprising a first data processor and a first memory means, and a monitoring component comprising a second data processor and a second memory means, said method comprising the steps of:

receiving an interrogation request signal via an interface of said computing entity;

said monitoring component performing a monitoring operation of said computer platform in response to a said received interrogation request signal; and

said monitoring component reporting a result message to said interface, said result message describing a result of said monitoring operation.



Said monitoring operation may comprise the steps of: 
said monitoring component carrying out one or a plurality of data checks on components of said computing platform;

said monitoring component being able to report a set of certified reference data together with said data checks.

Said certified reference data may include a set of metrics to be expected when measuring particular components of said computing platform, and may include digital signature data identifying an entity that certifies said reference data.

Preferably said step of reporting verification of said monitoring operation comprises sending a confirmation signal to a token device, said confirmation signal describing a result of said monitoring operation.

Preferably said result message is transmitted by said interface to a token device external of said computing entity.

A result of said monitoring operation may be reported by generating a visual display of confirmation data.

The method may further comprise the steps of:

adding a digital signature data to said result message, said digital signature data identifying said monitoring component;

transmitting said result message and said digital signature data from said interface.
According to a fifth aspect of the present invention there is provided a method of obtaining verification of a state of a computer entity, said computer entity comprising a computer platform and a monitoring component, said method comprising the steps of:

an application requesting access to a functionality from a said token device;

in response to said request for access to functionality, said token device generating a request signal requesting a verification data from said monitoring component;

in response to said request for verification, said monitoring component reports a result message to said token device, said result message describing a result of a monitoring operation;

by receipt of a satisfactory said result message, said token device offers said functionality to said application.

The method may further comprise a response to said integrity challenge being sent to said third party server.

Said monitoring component may send a detailed integrity response to said 
third party server if requested in the integrity challenge by said token device. 

The said monitoring component may report a detailed integrity response to said token device, and said token device may send said integrity response to said third party server, if it requires the third party server to help interpret said detailed integrity response.
Said third party server may simplify said integrity response to a form in which said token device can interpret said integrity response.

Said third party server may send said simplified integrity response to said token device.

The method may further operate the step of adding a digital signature data 
to said simplified integrity response, said digital signature data authenticating said 
third party server to said token device. 



Said token device may be requested to take an action. Alternatively, said 
token device may request to take an action. 

According to a sixth aspect of the present invention there is provided a method of checking an integrity of operation of a computing entity, said computing entity comprising a computer platform having a first processor means and first data storage means, and a monitoring component comprising a second processor and second memory means, by means of a token device, said token device comprising a third data processor and a third memory means, said method comprising the steps of:

programming said token device to respond to a received poll signal from an application program, said poll signal received from said computer platform;

said token device receiving a poll signal from said computer platform;

in response to said received poll signal, said token device generating a signal for requesting a verification operation by said monitoring component; and

said monitoring component performing a verification operation of said computer platform in response to said received signal from said token device.

According to a seventh aspect of the present invention there is provided a token device for verifying a status of a computing entity, said token device comprising:

a data storage device; and

means for communicating with a computing entity;

wherein said data storage device is configured to store a status request message for requesting a status data from said computing entity.

Said token device may further comprise a data processor. 

Said token device may be configured to be responsive to a poll signal operating in accordance with PC/SC Specification 1.0. Said token device may be capable of initiating a command to be handled by a software stack on the computer entity in response to said poll signal according to a proactive protocol.

According to an eighth aspect of the present invention there is provided a method of verifying a status of a computing entity, by means of a token device provided external of said computing entity, said method comprising the steps of:

said token device receiving a poll signal;

said token device responding to said poll signal by providing a request for obtaining verification of a state of said computer entity; and

said token device receiving a result message, said result message describing the result of said verification.

The method may further comprise sending a response to said integrity challenge to said third party server.

Said monitoring component may send a detailed integrity response to said 
third party server if requested in the integrity challenge by said token device. 

Said monitoring component may report a detailed integrity response to said token device, and said token device may send said integrity response to said third party server, if it requires the third party server to help interpret said detailed integrity response.

Said third party server may simplify said integrity response to a form in which said token device can interpret said integrity response.

Said third party server may send said simplified integrity response to said 
token device. 


The system may further operate the step of adding a digital signature data 
to said simplified integrity response, said digital signature data authenticating said 
third party server to said token device. 

Said token device may be requested to take an action. Alternatively, said token device may request to take an action.

The invention includes a method by which a token device can obtain verification of a state of a computing platform by using a monitoring component, said monitoring component being capable of performing at least one data check on said computer platform, and establishing an identity of itself, and establishing a report of said at least one data check; and

wherein said token device has data processing capability and behaves in an expected manner;

said token device being physically separable from said computing platform and said monitoring component, said token device having cryptographic data processing capability;

wherein said monitoring component proves its identity to said token device and establishes a report to said token device of at least one data check performed on said computing platform.

The invention includes a token device comprising a data processor and a memory device, said token device configured to perform at least one data processing or signaling function;

wherein said token device operates to:

receive an integrity check data from an external source;

if said integrity check data supplied to said token device is satisfactory, then said token device allows a said function; and

if said integrity check data received by said token device is unsatisfactory, then said token device denies said function.
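The token-device exchange set out in the first, second and fifth aspects above, written as an added simulation that is not part of the patent or of any product it describes: the token challenges the monitoring component with a fresh nonce, checks the component's identity signature and the certified reference data (optionally delegating interpretation to a third party server that returns a signed, simplified verdict), and only then allows an action or releases verification image data for the platform to display. The class names, keys and metric values are constructed assumptions, and HMAC over canonical JSON stands in for the specification's digital signature data.

```python
import hashlib
import hmac
import json
import os

# Keys, metric values and names are constructed for this example, not values from
# the specification. HMAC over canonical JSON stands in for "digital signature data"
# (assumption: a real token would verify public-key signatures and certificates).
TC_IDENTITY_KEY = b"constructed-trusted-component-identity-key"
CERTIFIER_KEY = b"constructed-reference-certifier-key"
SERVER_KEY = b"constructed-third-party-server-key"
EXPECTED_METRICS = {"bios": "a1f3", "os_loader": "b7c2", "kernel": "c9e8"}


def sign(key: bytes, payload: dict) -> str:
    """Signature data over a canonical encoding of payload."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: dict, signature: str) -> bool:
    """Constant-time check of signature data."""
    return hmac.compare_digest(sign(key, payload), signature)


# Certified reference data: expected metrics plus signature data of the certifier.
CERTIFIED_REFERENCE = {"metrics": EXPECTED_METRICS,
                       "signature": sign(CERTIFIER_KEY, EXPECTED_METRICS)}


class TrustedComponent:
    """Monitoring component holding the results of its data checks on the platform."""

    def __init__(self, measured: dict):
        self.measured = measured

    def respond(self, challenge: dict) -> dict:
        """Detailed integrity response: measured metrics, echoed nonce and certified
        reference data, signed with the component's identity key."""
        body = {"nonce": challenge["nonce"], "metrics": dict(self.measured),
                "reference": CERTIFIED_REFERENCE}
        return {"body": body, "signature": sign(TC_IDENTITY_KEY, body)}


def evaluate(response: dict) -> tuple:
    """Interpret a detailed response: identity signature holds, reference data is
    certified, and measured metrics equal the expected ones. Returns (nonce, ok)."""
    body, sig = response["body"], response["signature"]
    ref = body["reference"]
    ok = (verify(TC_IDENTITY_KEY, body, sig)
          and verify(CERTIFIER_KEY, ref["metrics"], ref["signature"])
          and body["metrics"] == ref["metrics"])
    return body["nonce"], ok


class ThirdPartyServer:
    """Simplifies a detailed response to a verdict the token can interpret and
    authenticates itself to the token with its own signature data."""

    def simplify(self, response: dict) -> dict:
        nonce, ok = evaluate(response)
        body = {"nonce": nonce, "trustworthy": ok}
        return {"body": body, "signature": sign(SERVER_KEY, body)}


class TokenDevice:
    """Portable token: challenges the component and withholds actions unless satisfied."""

    def __init__(self, verification_image: bytes, server=None):
        self.image = verification_image  # shown by the platform once verified
        self.server = server              # optional delegation of interpretation
        self.nonce = None

    def challenge(self) -> dict:
        self.nonce = os.urandom(16).hex()  # fresh nonce rejects replayed responses
        return {"nonce": self.nonce, "detailed": True}

    def satisfied(self, response: dict) -> bool:
        if self.server is None:
            nonce, ok = evaluate(response)
        else:
            simplified = self.server.simplify(response)
            if not verify(SERVER_KEY, simplified["body"], simplified["signature"]):
                return False
            nonce, ok = simplified["body"]["nonce"], simplified["body"]["trustworthy"]
        return ok and nonce == self.nonce

    def request_action(self, tc: TrustedComponent, action: str) -> str:
        """Fifth aspect: an application asks the token for a function; the token
        challenges the component first and then allows or denies the function."""
        response = tc.respond(self.challenge())
        verdict = "allowed" if self.satisfied(response) else "denied"
        return verdict + ":" + action

    def verification_data(self, tc: TrustedComponent):
        """Second aspect: image data for the platform to display, or None."""
        response = tc.respond(self.challenge())
        return self.image if self.satisfied(response) else None
```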




Brief Description of the Drawings

For a better understanding of the invention and to show how the same may be carried into effect, there will now be described by way of example only, specific embodiments, methods and processes according to the present invention with reference to the accompanying drawings in which:

Fig. 1 illustrates schematically a computer entity according to a first specific embodiment of the present invention;

Fig. 2 illustrates schematically connectivity of selected components of the computer entity of Fig. 1;

Fig. 3 illustrates schematically a hardware architecture of components of the computer entity of Fig. 1;

Fig. 4 illustrates schematically an architecture of a trusted component comprising the computer entity of Fig. 1;

Fig. 5 illustrates schematically a logical architecture of the computer entity, divided into a monitored user space resident on a computer platform and a trusted space resident on the trusted component;

Fig. 6 illustrates schematically components of a smartcard token device for insertion into a smartcard reader of the computing entity;

Fig. 7 illustrates schematically a set of process steps carried out by a smartcard and computing entity according to a first use model;

Fig. 8 illustrates schematically a second mode of operation of the computing entity and smartcard in which an application requests authorization from the smartcard;

Fig. 9 illustrates schematically communication between the smartcard and an interface module comprising the computing entity;

Fig. 10 illustrates schematically a third mode of operation of the smartcard and computing entity in which the smartcard authenticates operation of the computing entity;

Fig. 11 illustrates schematically a computing system comprising a computing entity, a token device, and a remote trusted server, in which the token device delegates computation of a crypted integrity metrics to the trusted server in order to verify information received from a trusted component within a computing entity;

Fig. 12 illustrates schematically a mode of operation of the system of Fig. 11 in which integrity metric data is sent from a trusted component to a token device and the token device then sends the data to a trusted server for data processing according to a fourth mode of operation;

Fig. 13 illustrates schematically an operation of the system of Fig. 11 in which the smartcard verifies the trustworthiness of a computing entity, by obtaining a certificate from a trusted third party according to a fifth mode of operation;

Fig. 14 illustrates schematically operation of the system of Fig. 11 from the point of view of a smartcard, for receiving a digital certificate and digital signature data from a trusted component according to a sixth mode of operation;

Fig. 15 illustrates schematically a third specific embodiment implementation of a system according to the present invention in which conventional PCSC technology is used to communicate with a smartcard, and in which the smartcard is able to give authorization for a transaction to a prior art application program, which operates through a subsystem interface to a trusted component;

Fig. 16 illustrates schematically operation of the embodiment shown in Fig. 15 enabling a smartcard to allow authorization for a transaction after having received confirmation of a trustworthy state of a computer entity with which it is co-operating.

Detailed Description of the Best Mode for Carrying Out the Invention 

There will now be described by way of example the best mode contemplated by the inventors for carrying out the invention. In the following description numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent however, to one skilled in the art, that the present invention may be practiced without limitation to these specific details. In other instances, well known methods and structures have not been described in detail so as not to unnecessarily obscure the present invention.

Specific implementations of the present invention comprise a computer platform having a processing means and a memory means, and a monitoring component which is physically associated with the computer platform, and known hereinafter as a "trusted component", which monitors operation of the computer platform by collecting metrics data from the computer platform, and which is capable of verifying to other entities interacting with the computer platform, the correct functioning of the computer platform. A token device which may be personal to a human user of the computer platform interacts with a trusted component associated with the computer platform to verify to the human user the trustworthiness of the computer platform.

A user of a computing entity establishes a level of trust with the computer entity by use of such a trusted token device. The trusted token device is a personal and portable device having a data processing capability and in which the user has a high level of confidence. The trusted token device may perform the functions of:

• verifying a correct operation of a computing platform in a manner which is readily apparent to the user, for example by audio or visual display;

• challenging a monitoring component to provide evidence of a correct operation of a computer platform with which the monitoring component is associated; and

• establishing a level of interaction of the token device with a computing platform, depending on whether a monitoring component has provided satisfactory evidence of a correct operation of the computing entity, and withholding specific interactions with the computer entity if such evidence of correct operation is not received by the token device.

The token device may be requested to take an action, for example by an application resident on the computing platform, or by a remote application, or alternatively the token device may initiate an action itself.



In this specification, the term "trusted" when used in relation to a physical or logical component, is used to mean that the physical or logical component always behaves in an expected manner. The behavior of that component is predictable and known. Trusted components have a high degree of resistance to unauthorized modification.

In this specification, the term "computer entity" is used to describe a computer platform and a monitoring component.

In this specification, the term "computer platform" is used to refer to at least one data processor and at least one data storage means, usually but not essentially with associated communications facilities e.g. a plurality of drivers, associated applications and data files, and which may be capable of interacting with external entities e.g. a user or another computer platform, for example by means of connection to the internet, connection to an external network, or by having an input port capable of receiving data stored on a data storage medium, e.g. a CD ROM, floppy disk, ribbon tape or the like. The term "computer platform" encompasses the main data processing and storage facility of a computer entity.

By use of a trusted component in each computing entity, there is enabled a level of trust between different computing platforms. It is possible to query such a platform about its state, and to compare it to a trusted state, either remotely, or through a monitor on the computer entity. The information gathered by such a query is provided by the computing entity's trusted component which monitors the various parameters of the platform. Information provided by the trusted component can be authenticated by cryptographic authentication, and can be trusted.



The presence of the trusted component makes it possible for a piece of third party software, either remote or local to the computing entity, to communicate with the computing entity in order to obtain proof of its authenticity and identity and to retrieve measured integrity metrics of that computing entity. The third party software can then compare the metrics obtained from the trusted component against expected metrics in order to determine whether a state of the queried computing entity is appropriate for the interactions which the third party software item seeks to make with the computing entity, for example commercial transaction processes.

This type of integrity verification between computing entities works well in the context of third party software communicating with a computing entity's trusted component, but does not provide a means for a human user to gain a level of trustworthy interaction with his or her computing entity, or any other computing entity which that person may interact with by means of a user interface.



In the best mode implementation described herein, a trusted token device is used by a user to interrogate a computing entity's trusted component and to report to the user on the state of the computing entity, as verified by the trusted component.

Referring to Fig. 1 herein, there is illustrated schematically one example of a computer entity according to a first specific implementation of the present invention. Referring to Fig. 2 of the accompanying drawings, there is illustrated schematically physical connectivity of some of the components of the computer entity of Fig. 1. Referring to Fig. 3 herein, there is illustrated schematically an architecture of the computer entity of Figs. 1 and 2, showing physical connectivity of components of the entity.

In general, in the best mode described herein, a computer entity comprises a computer platform consisting of a first data processor, and a first memory means, together with a trusted component which verifies the integrity and correct functioning of the computing platform. The trusted component comprises a second data processor and a second memory means, which are physically and logically distinct from the first data processor and first memory means. The computer entity is provided with a smartcard reader port into which a user's smartcard can be inserted. The smartcard performs the function of being a 'trusted token' which a human user uses as a tool for verifying the integrity of a computing entity which is being used. Having verified the trustworthiness of the computing entity, by means of the user's trusted token device having corresponded with a trusted component in the computer entity, the user can then have confidence in the trustworthiness of the computing platform of the computing entity, and therefore have a higher level of confidence in using said computer platform.

In the example shown in Figs. 1 to 3 herein, the trusted computer entity is shown in the form of a personal computer suitable for domestic use or business use. However, it will be understood by those skilled in the art that this is just one specific embodiment of the invention, and other embodiments of the invention may take the form of a palmtop computer, a laptop computer, a server-type computer, a mobile phone-type computer, or the like, and the invention is limited only by the scope of the claims herein. In the best mode example described herein, the computer entity comprises a display monitor 100; a keyboard data entry means 101; a casing 102 comprising a motherboard on which is mounted a data processor; one or more data storage means e.g. hard disk drives; a dynamic random access memory; various input and output ports (not illustrated in Fig. 1); a smartcard reader 103 for accepting a user's smartcard 105; a pointing device, e.g. a mouse or trackball device 106; and a trusted component for monitoring operations of the computing entity.

The user's smartcard 105 itself does not comprise the computing entity, but is a separate token device which interacts with the computing entity via the smartcard reader port 103. A user may have several different smartcards issued by several different vendors or service providers, and may gain access to the internet or a plurality of network computers from any one of a plurality of computing entities as described herein, which are provided with a trusted component and smartcard reader. A user's trust in the individual computing entity which s/he is using is derived from the interaction between the user's trusted smartcard token and the trusted component of the computing entity. The user relies on their trusted smartcard token to verify the trustworthiness of the trusted component.

Referring to Fig. 2 herein, there are illustrated some of the components comprising the trusted computer entity, including keyboard 101, which incorporates confirmation key 104 and smartcard reader 103; a main motherboard 200 on which is mounted first data processor 201 and trusted component 202; an example of a hard disc drive 203; and monitor 100. Additional components of the trusted computer entity include an internal frame to the casing 102, housing one or more local area network (LAN) ports, one or more modem ports, one or more power supplies, cooling fans and the like (not shown in Fig. 2).

In the best mode herein, as illustrated in Fig. 3 herein, main motherboard 200 is manufactured comprising a first data processor 201; and preferably a permanently fixed trusted component 202; a local memory device 300 to the first data processor, the local memory device being a fast access memory area, e.g. a random access memory; a BIOS memory area 301; smartcard interface 305; a plurality of control lines 302; a plurality of address lines 303; a confirmation key interface 306; and a data bus 304 connecting the processor 201, trusted component 202, memory area 300, a BIOS memory component 301 and smartcard interface 305.




External to the motherboard and connected thereto by data bus 304 are provided the one or more hard disk drive memory devices 203, keyboard data entry device 101, pointing device 106, e.g. a mouse, trackball device or the like; monitor device 100; smartcard reader device 103 for accepting a smartcard device as described previously; the disk drive(s), keyboard, monitor, and pointing device being able to communicate with processor 201 via said data bus 304; and one or more peripheral devices 307, 308, for example a modem, printer, scanner or other known peripheral device.

In a best mode implementation, trusted component 202 is positioned logically and physically between monitor 100 and processor 201 of the computing platform, so that the trusted component 202 has direct control over the views displayed on monitor 100 which cannot be interfered with by processor 201.

The trusted component lends its identity and trusted processes to the computer platform and the trusted component has those properties by virtue of its tamper-resistance, resistance to forgery, and resistance to counterfeiting. Only selected entities with appropriate authentication mechanisms are able to influence the processes running inside the trusted component. Neither a user of the trusted computer entity, nor anyone or any entity connected via a network to the computer entity may access or interfere with the processes running inside the trusted component. The trusted component has the property of being "inviolate".

In the best mode, smartcard reader 103 is wired directly to smartcard interface 305 on the motherboard and does not connect directly to data bus 304. Alternatively, smartcard reader 103 may be connected directly to data bus 304. On each individual smartcard may be stored corresponding respective image data which is different for each smartcard. For user interactions with the trusted component, e.g. for a dialogue box monitor display generated by the trusted component, the trusted component may take the image data from the user's smartcard, and use this as a background to the dialogue box displayed on the monitor 100. Thus, the user has confidence that the dialogue box displayed on the monitor 100 is generated by the trusted component. The image data is preferably easily recognizable by a human being in a manner such that any forgeries would be immediately apparent visually to a user. For example, the image data may comprise a photograph of a user. The image data on the smartcard may be unique to a person using the smartcard.

Referring to Fig. 4 herein, there is illustrated schematically an internal architecture of trusted component 202. The trusted component comprises a processor 400; a volatile memory area 401; a non-volatile memory area 402; a memory area storing native code 403; and a memory area storing one or a plurality of cryptographic functions, 404; the non-volatile memory 402, native code memory 403 and cryptographic memory 404 collectively comprising the second memory means hereinbefore referred to. The trusted component is capable of storing programs and algorithms for interfacing with applications on the computer platform, or a remote computer platform; a verification interface 510 for pro-actively making integrity check measurements on the computer platforms; and an application interface 512.

Referring to Fig. 5 herein, there is illustrated schematically a logical architecture of the computer entity 500. The logical architecture has the same basic division between the computer platform and the trusted component as is present with the physical architecture described in Figs. 1 to 3 herein. That is to say, the trusted component is logically distinct from the computer platform to which it is physically related. The computer entity comprises a user space 501 being a logical space which is physically resident on the computer platform (the first processor and first data storage means) and a trusted component space 502 being a logical space which is physically resident on the trusted component 202. In the user space 501 are one or a plurality of drivers 503, one or a plurality of applications programs 504, a file storage area 505; smartcard reader 103; smartcard interface 305; and a software agent 506 which can perform operations in the user space and report back to trusted component 202. The trusted component space is a logical area based upon and physically resident in the trusted component, supported by the second data processor and second memory area of the trusted component. Monitor 100 receives images directly from the trusted component space 502. External to the computer entity are external communications networks e.g. the Internet 507, and various local area networks, wide area networks 508 which are connected to the user space via the drivers 503 which may include one or more modem ports. External user smartcard 509 inputs into smartcard reader 103 in the user space.

Referring to Fig. 6 herein, there are illustrated schematically the main components of a smartcard configured for use as a trusted token device. The smartcard comprises a base portion 600, for example of plastics sheet material; a read only memory area 601; a programmable memory area 602; a processor 603; and an array of connection contacts 604 by means of which the processor and memory areas can connect with smartcard reader 103 of the computing entity for communication between the smartcard and the computing entity. In the general case, the smartcard does not contain its own power supply, electrical power to the memory areas and processor of the smartcard being provided by the computing entity via the smartcard reader 103.

Several different implementations of the invention are possible. In a best mode first implementation, the monitor 100 may be driven directly by a monitor subsystem contained within the trusted component itself. In this embodiment, in the trusted component space are resident the trusted component itself, and displays generated by the trusted component on monitor 100.

In the best mode first implementation, the subsystem 511 resides on the computer platform, and provides interfaces between the smartcard reader, the trusted component and the monitor. The subsystem functionality is built into the trusted component, and resides within the trusted space. The subsystem 511 interfaces between the computer platform and smartcard, and the trusted component.

The subsystem is not critical for maintaining trust in the trusted component. In other implementations, the subsystem optionally can reside on the computer platform in the 'untrusted' computer platform space.

In a second implementation, trusted component 502 is accessed via the smartcard reader 103 and smartcard interface 305 via a software subsystem 511. The subsystem also provides an application interface function 512 for interfacing between applications 504 and the trusted component 502; and a verification application 513 for verifying, via a third party accessed over the internet, or via a local area network/wide area network, integrity metrics data obtained by trusted component 502.

The trust placed in the computer entity by a user is composed of three separate parts:

• Trust placed in the user's trusted token device.

• The trust placed in the trusted component.

As described herein, levels or degrees of trust placed in the computer entity are determined as being relative to a level of trust which is placed in the trusted component and the smartcard. Although the amount of trust in a computer entity is related to many factors, a key factor in measuring that trust is the types, extent and regularity of integrity metrics checks which the trusted component itself carries out on the computer entity, and the type, regularity and quality of the checks the smartcard makes on the trusted component.

Once the user has established by use of their smartcard that the trusted component is operating correctly, the trusted component is implicitly trusted. The trusted component is embedded as the root of any trust which is placed in the computing platform and the computing platform as a whole cannot be any more trusted than the amount of trust placed in the trusted component.

Although other computing entities can interact directly with a trusted component, by means of encrypted messages, to verify the operation of a trusted component, a human user operating a computing entity cannot directly interface with a trusted component because the human user is a biological entity who is not capable of generating digital encrypted signals. The human user must rely on his visual and audio senses to verify the trustworthiness of a computing entity. The human user, in the general case, has no knowledge of the mechanisms at work inside the computing entity, and in the general case will be of an average level of education and sophistication, that is to say a normal average person.

The user is therefore provided with a trusted token in the form of a smartcard, in which the user may place a high degree of trust. The user's smartcard can interact with the trusted component of the computer entity in order to:

• Prove the identity of a trusted component to the user.

• Verify that the computer platform inside the computing entity is operating correctly, by virtue of integrity metrics measurement carried out on the computer platform by the trusted component.
Therefore, in the system of computing entities, there are chains of trust involved as follows:

• The user must trust the trusted token. This trust is based upon the reputation of the provider of the trusted token, who will typically be a corporation having access to the necessary technical and engineering resources to enable correct operation of the trusted token.

• Trust between the trusted token and trusted component. The trusted token smartcard must be able to verify correct operation of the trusted component using the smartcard.

• Trust in the computer platform. The trust in the computer platform derives from the monitoring of the computer platform by the trusted component, which is itself trusted.

Within this chain of trust, the link between the user and a computer entity can be viewed from the perspective of the user, the trusted platform which the user is using, and from the perspective of the trusted token (the smartcard), as described hereunder.

From the user's point-of-view, the user can only trust what s/he sees on the computer screen, and what s/he hears on the computer's audio output and/or printed output. The user is provided with a trusted token in the form of a smartcard which can be inserted into smartcard reader 103 of the computing entity. The smartcard carries out interactions using cryptographic messages and interrogations on behalf of the user. The smartcard is capable of initiating a request to the trusted component to perform integrity metrics, and is capable of denying authorization to application programs in the event that the smartcard does not receive a satisfactory response to a request for verification from a trusted component.

In each specific implementation for carrying out the invention, the computing entity has a plurality of modes of operation.

Referring to Fig. 7 herein, there is illustrated a first mode of operation of a computer system comprising a computing entity and a smartcard under control of a user following a first process. In the process of Fig. 7, there is no application residing on the computing entity which requires use of the user's smartcard. The user is simply verifying the trustworthiness of the computing platform within the computer entity with the aid of the smartcard. In general, a user will wish to check the integrity of a computing entity as soon as the user logs on, and before the user performs any sensitive operations. The smartcard can be programmed to verify the integrity of the computing entity, via its trusted component, before the user carries out any other tasks using the computing entity. In step 700, a user inserts the smartcard into the smartcard reader of the computing entity which s/he is to use. In step 701, the user starts to use the graphical user interface of the computing platform. In step 702, a verification application 513, whose purpose is to enable a user having a smartcard to check the integrity of a trusted component of the computing entity and which is pre-loaded onto the computer platform, is activated by the user. Such activation may be by activating a pointing device, e.g. a mouse or track-ball which is visually placed over an icon displayed on a visual display of the computing entity. The verification interface 510 receives the commands from the graphical user interface for initiating a check of the trusted component by the smartcard and processes these into instructions in a form in which the smartcard can be instructed by the application to commence a verification process. In step 703, the interface sends a request signal to the smartcard requesting the smartcard to commence a verification operation on the trusted component. In step 704, the smartcard carries out integrity checks on the trusted component. All communications between the smartcard and the trusted component are in encrypted format. The precise method by which the smartcard verifies the integrity of the trusted component is by a challenge-response integrity check method which is the subject of a separate patent application by the applicants and is beyond the scope of this disclosure. In step 705 the smartcard, having completed the integrity check on the trusted component, reports back to the user by displaying on the graphical user interface. The trusted component may report back to the user using the graphical user interface by a variety of methods, some of which are the subject of separate patent applications by the applicant, and which are outside the scope of this disclosure.

In one such method, the smartcard uses the trusted component to control the display on the monitor 100 to display information describing the computer platform, which has been determined by the trusted component, and in which an image specific to the smartcard is displayed on the visual display unit. For example, the smartcard may contain difficult to recreate image data, preferably known only to the user. The trusted component may retrieve this image data from the smartcard and display it on the monitor, combined with other information describing integrity metrics and operation of the computer platform. Because the computing entity has no other way of obtaining the image data except from the user's smartcard, where it is pre-stored, and because the user can visually identify with a high degree of accuracy that the image is genuine, by visual inspection, the user then has confidence that the computing entity has in fact interacted with the smartcard (otherwise the image would not be obtainable).



Alternatively, in step 705, instead of the image data being displayed on the monitor of a computing entity which is being checked, the user may remove his smartcard from the smartcard reader, and insert the smartcard into his own palmtop device. The palmtop device is personal to the user, and therefore the user may trust the palmtop device to a higher extent than the computer entity. The palmtop reader reads data from the smartcard verifying that the computer entity has passed the challenge-response tests made by the smartcard. The palmtop computer then displays to the user the information that the computer entity has passed the challenge-response test set by the smartcard. The user takes this as verification that the computing entity is trusted.

The above method operates where a user wishes to use a computing entity, and simply wishes to know whether the computing entity can be trusted.

Referring to Fig. 8 herein, there is illustrated schematically a second mode of operation in a case where an application resident on the computing entity, or resident on a remote computing entity with which the user wishes to communicate, requires that a user authorizes an operation, for example a commercial transaction operation.

The smartcard is configured by a system administrator, or smartcard service provider, with details particular to the user. In step 800, the user inserts the smartcard into the smartcard reader of the computing entity. In step 801 the application or the operating system of the computing entity requests data from the smartcard. In step 803, the smartcard responds by sending a delay message to the computing entity, and requesting from the computing entity access to the computing entity's trusted component, so that the smartcard can verify the integrity of the computing entity. In step 804, the smartcard corresponds with the trusted component of the computing entity by means of integrity checks according to a challenge-response process as described hereinabove, to check the integrity of the computing entity. In step 805, if the smartcard determines that the integrity checks have been satisfied by the trusted component, the smartcard proceeds to respond to the request from the operating system or application for data for completing the operation.
The smartcard is programmed in such a way that the smartcard will never accept an interaction with an application, for example for the purposes of authentication, or to provide some cryptographic services, unless it can first verify the integrity of the computing entity to which it is connected by means of correspondence with a trusted component of the computing entity, in which the trusted component authenticates and checks integrity metrics of the computing platform. In this way, the user, who implicitly trusts the smartcard, is confident that his smartcard will only accept to be used by an application once it has verified that it is in a trusted environment. The smartcard does not need to explicitly report the results of the integrity checks to the user. The mere fact that an application has requested an interaction with a smartcard and that requested interaction has been satisfied is proof that the smartcard has been able to carry out this check and is satisfied with the result. Whether the smartcard accepts or rejects an interaction with an application is based upon pre-determined policies which are pre-programmed onto the smartcard by the smartcard issuer, or which can be configured by a user by programming the smartcard.

Configuration of the smartcard memory may be made by a user if this facility is provided by a smartcard vendor. For example a purchaser of a personal computer may be able to configure his own smartcard to operate according to user preferences. The smartcard may be pre-configured such that a user may be able to program the smartcard to interact with a computing entity in a Microsoft Windows™ environment, even where a trusted component does not exist in a computing entity. A smartcard vendor may enable programming of a smartcard through a device such as a PDA palmtop computer. The precise configuration of the capabilities of each smartcard is specified by the smartcard provider as a design issue.

As another example, an internet service provider may provide a smartcard which only identifies itself correctly to the internet service provider when it can verify that the computing entity into which it is inserted has passed various integrity checks specified by the smartcard. This provides protection for the internet service provider, to be able to confirm that a user will not connect to the internet service using an untrusted computer, which may be carrying viruses.

An advantage of the above two methods is that they do not require initiation by user interaction, but are initiated by the action of the smartcard being entered into the smartcard reader of a computer entity.

Referring to Fig. 9 herein, there will now be described one example of an operation of the computer entity during its interaction with a smartcard adapted as a trusted token. This example is based upon known technology according to the PCSC specification found in standard ISO 7816, and viewable at www.pcscworkgroup.com, which in the best mode is modified to allow initiation of commands from the smartcard.



Interaction between a smartcard and the trusted component allows the smartcard to authenticate the correct operation of the trusted component, and to obtain the trusted component's response regarding integrity of the computer platform which the trusted component monitors. In a best mode implementation, the integrity verification process allows that the trusted component reports an interpreted result of a verification of correct operation of the computing entity to the smartcard. However, in another mode of implementation the trusted component may not provide the mechanism to interpret the integrity measurements for the smartcard. In that case the smartcard must have access to a trusted third party server which provides this functionality.

Typically access to a trusted third party server by the smartcard will require the presence of a mechanism so that the smartcard can request such access to be provided by the computing entity.
Assuming you have a smartcard which can initiate a command to a trusted component, communicate with the trusted component for exchange of messages and information, send requests for information, receive results from the trusted component in response to those requests, and request access to a third party server to be provided by the computing entity, then integrity verification of the trusted component to the smartcard can be achieved. Implementation of initiation of user commands from a smartcard is known in "Smartcards - from Security Tokens to Intelligent Adjuncts", by Boris Balacheff, Bruno Van Wilder, and David Chan, published in CARDIS 1998 Proceedings.



Referring to Fig. 10 herein, there are illustrated process steps carried out from the viewpoint of the trusted component for verification of a computer platform in response to a request from a smartcard. In step 1000 the smartcard authenticates the trusted component as described hereinbefore. In step 1001 the smartcard requests the trusted component to report on the integrity metrics of the computer platform, to the smartcard. In step 1002, the trusted component reports these to the smartcard. In step 1002, the trusted component may report back to the smartcard using the integrity metrics alone, for example a one way hash function of the BIOS of a processor of a computer platform which is transmitted to the smartcard. Integrity metrics can be checked by the smartcard in a relatively straightforward way in the best mode implementation, because the functionality exists within the trusted component to enable the trusted component to be requested to perform integrity metrics and verify the integrity metrics of an associated computer platform to a third party requesting those integrity metrics. This is the most basic form.
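Simulation of the gating policy described for Figs. 7, 8 and 10: the card answers the application with a delay message, challenges the trusted component with a fresh nonce, checks the reported BIOS hash against its pre-programmed policy, and only then releases data. This is an added example, not code from the patent; because the real challenge-response method is outside the patent's scope, an HMAC-SHA256 under a key shared by the card issuer and genuine trusted components stands in for it, and the key, BIOS images, user data and all names are constructed.

```python
"""Smartcard gating policy of Figs. 7, 8 and 10, simulated end to end.

Added example, not code from the patent.  The real challenge-response method is
outside the patent's scope, so an HMAC-SHA256 over (nonce || metrics) under a
key shared by the card issuer and genuine trusted components stands in for it.
The key, BIOS images, user data and all names here are constructed.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

SHARED_KEY = b"issuer-to-trusted-component-key (constructed)"
GOOD_BIOS = b"BIOS v1.0 (constructed sample image)"          # what the policy expects
BAD_BIOS = GOOD_BIOS + b" + unauthorised patch (constructed)"  # tampered platform
USER_DATA = b"user credentials (constructed)"                  # requested in step 801

Metrics = Dict[str, str]
Responder = Callable[[bytes], Tuple[Metrics, bytes]]


def _tag(key: bytes, nonce: bytes, metrics: Metrics) -> bytes:
    """MAC binding the reported metrics to the card's fresh nonce."""
    msg = nonce + metrics["bios_sha256"].encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class TrustedComponent:
    """Monitoring component: measures the platform and answers challenges."""

    def __init__(self, bios_image: bytes, key: bytes = SHARED_KEY):
        self._bios = bios_image
        self._key = key  # a counterfeit component does not hold the real key

    def integrity_metrics(self) -> Metrics:
        # Integrity metric as in Fig. 10: a one-way hash of the platform BIOS.
        return {"bios_sha256": hashlib.sha256(self._bios).hexdigest()}

    def respond(self, nonce: bytes) -> Tuple[Metrics, bytes]:
        """Step 1002: report metrics, authenticated against the challenge nonce."""
        metrics = self.integrity_metrics()
        return metrics, _tag(self._key, nonce, metrics)


class Smartcard:
    """Trusted token: releases user data only after verifying the platform."""

    DELAY = "DELAY: verifying the trusted component first"
    REFUSED = "REFUSED: platform integrity check failed"

    def __init__(self, expected_bios_sha256: str, key: bytes = SHARED_KEY):
        self._expected = expected_bios_sha256  # policy pre-programmed by the issuer
        self._key = key
        self._verified = False

    def verify_platform(self, respond: Responder) -> bool:
        """Steps 704 / 804: challenge-response check on the trusted component."""
        nonce = os.urandom(16)  # fresh per check, so a recorded answer cannot be replayed
        metrics, tag = respond(nonce)
        if not hmac.compare_digest(tag, _tag(self._key, nonce, metrics)):
            return False  # forged, counterfeit or replayed reply
        self._verified = metrics["bios_sha256"] == self._expected
        return self._verified

    def handle_request(self, respond: Responder) -> list:
        """Steps 801-805: answer an application's data request, gated on the check."""
        messages = [self.DELAY]  # step 803: delay message while the check runs
        if self._verified or self.verify_platform(respond):
            messages.append(USER_DATA)  # step 805: integrity satisfied, serve the data
        else:
            messages.append(self.REFUSED)  # policy: never serve an unverified platform
        return messages


GOOD_BIOS_SHA256 = hashlib.sha256(GOOD_BIOS).hexdigest()


def run_genuine() -> list:
    """Genuine component, untampered BIOS: the card releases the data."""
    return Smartcard(GOOD_BIOS_SHA256).handle_request(TrustedComponent(GOOD_BIOS).respond)


def run_tampered() -> list:
    """Genuine component reporting a modified BIOS: the card refuses."""
    return Smartcard(GOOD_BIOS_SHA256).handle_request(TrustedComponent(BAD_BIOS).respond)


def run_counterfeit() -> list:
    """Component without the issuer key, even with good metrics: the card refuses."""
    fake = TrustedComponent(GOOD_BIOS, key=b"wrong key (constructed)")
    return Smartcard(GOOD_BIOS_SHA256).handle_request(fake.respond)


def run_replay() -> list:
    """Untrusted platform replays an earlier genuine answer: the nonce defeats it."""
    recorded = TrustedComponent(GOOD_BIOS).respond(os.urandom(16))
    return Smartcard(GOOD_BIOS_SHA256).handle_request(lambda nonce: recorded)
```

The four `run_*` cases show that the card's policy distinguishes a tampered platform, a counterfeit trusted component and a replayed answer from a genuine one without ever telling the application why.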

Referring to Fig. 11 herein, there is illustrated schematically a system of computer apparatus comprising a computing entity 1100 comprising a computer platform and a monitoring component as described hereinbefore; a trusted token device 1101 capable of communicating with computing entity 1100; and a remote server 1102 capable of carrying out data processing functionality. The remote server 1102 also comprises a second computing platform and second monitoring component. In use, the remote server 1102 may be managed by a reliable service provider, for example an internet service provider, in which a user of a trusted token device may have a degree of trust established through, for example, a contractual relationship with the internet service provider, such as subscribing to a service provided by the internet service provider.



Referring to Fig. 12 herein, there is illustrated schematically a fourth mode of operation of a token device and a computing entity within the system of computers illustrated in Fig. 11. In the fourth mode of operation, a monitoring component (trusted component) within the computing entity 1100 is requested by the smartcard 1101 to provide a set of data checks on the computer platform within the computing entity 1100. Trusted token device 1101 may not have a sufficiently high data processing capability to carry out data processing on data supplied by the computer entity 1100. Therefore, the computer entity sends the integrity metrics data to a remote server 1102 trusted by the smartcard, which verifies that the integrity metrics data supplied by the monitoring component is correct by comparing this with a set of expected integrity metrics. The expected integrity metrics may be either supplied by the monitoring component itself, from pre-stored data within that component, or, where the computer platform is of a common type, the trusted server 1102 may store sets of expected integrity metrics for that type of computer platform. In either case, the trusted server 1102 performs the heavy computational data processing required for verification of the integrity metrics with the expected integrity metrics, and digitally signs the result of this verification.
Depending upon how the token device is pre-programmed and the amount
of data processing capability resident on the trusted token device, there are two
modes of operation.

In step 1200, the trusted token authenticates the trusted component as
described herein before. In step 1201 the smartcard requests the trusted
component to verify the integrity metrics of the computer platform, and to report
back to the smartcard. In step 1202, the trusted component, having available the
integrity metrics data as part of its ongoing monitoring of the computer platform,
sends the integrity metrics data to the smartcard, along with a set of certified
expected integrity metrics for that computer platform. In step 1203, the smartcard
sends the received integrity metrics data and the certified expected integrity
metrics data to the trusted third party server for computation. This message also
includes an identification of the smartcard device itself. Sending of the integrity
metrics data and expected integrity metrics data from the smartcard to the trusted
server is via the computer entity itself, which routes the data, for example over
the internet, to the remote trusted server 1102. In step 1204, the server
processes the integrity metrics data, verifies that the certified expected
integrity metrics are currently certified, and compares the integrity metrics
data with the expected integrity metrics data received from the smartcard. This
is a heavy computational step, for which the trusted server is suited. In step
1205, having compared the integrity metrics data with the expected integrity
metrics data, the server may then send verification data back to the smartcard
via the computer entity. The verification data may comprise a digital signature
of the server. In step 1206, the smartcard receives the verification data
comprising a digital signature and either accepts or rejects that digital
signature as being valid, and therefore the verification data.
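The fourth mode above (steps 1201 to 1206), worked as an added Python example that is not part of the patent: the card forwards the trusted component's measured metrics and certified expected metrics to the server, which checks that the certification is current, compares the two sets, and signs a verdict bound to the card's identity and to the forwarded metrics; the card accepts only a verdict whose signature verifies. The platform type, metric values, keys, the untrusted routing hop and the use of HMAC-SHA256 in place of the patent's digital signatures are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample data (not from the patent): the measured integrity metrics the
# trusted component reports, keyed by measured item, and a hypothetical platform type.
PLATFORM_TYPE = "example-platform-type"
MEASURED_METRICS = {"bios": "a1b2c3", "bootloader": "d4e5f6", "os_loader": "0789ab"}

# Constructed keys. The patent speaks of digital signatures; this example stands in
# for them with HMAC-SHA256: one key shared by the trusted server and the smartcard
# (assumed issued by the same provider) and one held by the certifier of the
# expected metrics. A deployment would use public-key signatures and certificates.
SERVER_CARD_KEY = b"constructed-key-shared-by-server-and-card"
CERTIFIER_KEY = b"constructed-key-of-expected-metrics-certifier"

def canonical(obj):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(key, obj):
    return hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()

def verify(key, obj, sig):
    return hmac.compare_digest(sign(key, obj), sig)

def certify_expected_metrics(platform_type, expected, not_after):
    """The 'certified expected integrity metrics' the trusted component holds."""
    body = {"platform_type": platform_type, "expected": expected, "not_after": not_after}
    return {"body": body, "certifier_sig": sign(CERTIFIER_KEY, body)}

class TrustedComponent:
    def __init__(self, measured, cert):
        self.measured, self.cert = measured, cert

    def report(self):
        # Step 1202: measured metrics plus certified expected metrics go to the card.
        return {"measured": self.measured, "cert": self.cert}

class TrustedServer:
    """Third-party server bound to the card; does the heavy comparison (step 1204)."""

    def check(self, card_id, measured, cert, now):
        body = cert["body"]
        still_certified = (verify(CERTIFIER_KEY, body, cert["certifier_sig"])
                           and now <= body["not_after"])
        # Step 1205: the signed result names the requesting card and the metrics it
        # covers, so a verdict issued for another card or measurement cannot be reused.
        result = {"card_id": card_id, "trusted": still_certified and measured == body["expected"],
                  "measured_digest": hashlib.sha256(canonical(measured)).hexdigest()}
        return {"result": result, "server_sig": sign(SERVER_CARD_KEY, result)}

class SmartCard:
    """Token with too little capacity to compare metrics itself; it checks signatures only."""

    def __init__(self, card_id):
        self.card_id = card_id

    def fourth_mode(self, tc, server, now, route=lambda msg: msg):
        # Step 1200 (authenticating the trusted component) is assumed already done.
        report = tc.report()                                  # steps 1201-1202
        measured, cert = report["measured"], report["cert"]
        # Step 1203: card id, metrics and certificate pass through the computer entity,
        # which routes them to the server; 'route' models that untrusted return hop.
        reply = route(server.check(self.card_id, measured, cert, now))
        res = reply["result"]                                 # step 1206
        if not verify(SERVER_CARD_KEY, res, reply["server_sig"]):
            return False   # signature rejected, so the verification data is rejected
        if res["card_id"] != self.card_id:
            return False   # verdict issued for some other card
        if res["measured_digest"] != hashlib.sha256(canonical(measured)).hexdigest():
            return False   # verdict does not cover the metrics this card forwarded
        return res["trusted"]

def tampering_route(msg):
    """A compromised platform flipping the verdict on its way back to the card."""
    return {"result": dict(msg["result"], trusted=True), "server_sig": msg["server_sig"]}

def run_scenarios():
    """Card decisions for four constructed situations, keyed by scenario name."""
    cert = certify_expected_metrics(PLATFORM_TYPE, MEASURED_METRICS, not_after=2000)
    card, server = SmartCard("card-0001"), TrustedServer()
    good = TrustedComponent(dict(MEASURED_METRICS), cert)
    modified = TrustedComponent(dict(MEASURED_METRICS, os_loader="ffffff"), cert)
    return {
        "good_platform": card.fourth_mode(good, server, now=1000),
        "modified_platform": card.fourth_mode(modified, server, now=1000),
        "expired_certificate": card.fourth_mode(good, server, now=3000),
        "forged_verdict": card.fourth_mode(modified, server, now=1000, route=tampering_route),
    }

if __name__ == "__main__":
    print(run_scenarios())
```

Only the first scenario yields a trusted verdict; a modified platform, an expired certification of the expected metrics, and a verdict altered by the platform on the return path are all rejected by the card.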

Referring to Fig. 13 herein, there is illustrated schematically process steps
carried out in a fifth mode of operation of the smartcard and computing entity of
Fig. 11, whereby the computing entity delivers the results of a verification of a set
of integrity metrics data along with a digital signature, to the smartcard, certifying
a set of integrity metrics data which is also supplied to the smartcard.

Referring to Fig. 13, in step 1300 the smartcard authenticates the trusted
component as described herein above. In step 1301, the smartcard sends a
request message to the trusted component requesting verification of integrity
metrics of the computer platform, and a report back to the smartcard. In step
1302, the trusted component sends the set of measured integrity metrics of the
computer platform to a third party (the trusted component either knows which
third party server will be trusted by the smartcard or the smartcard needs to
specify which third party server should be used), together with the trusted
component's own digital signature, and receives from the third party server the
result of the verification of these integrity metrics together with a digital
signature. This is the result of step 1303, in which the third party server
compares the set of integrity metrics received from the trusted component with
its own stored set or a retrieved set of expected integrity metrics for the type
of computer platform identified by the trusted component, and adds its digital
signature in step 1304. In step 1305, the trusted component, having received the
digital signature, sends the set of integrity metrics, together with the digital
signature, to the smartcard.

The above examples of Figs. 11 to 13 are of operation of the best mode
implementation, in which the trusted component performs integrity metrics
monitoring.

From the perspective of the smartcard, any application which interacts with
the smartcard, either a graphical user interface or another application, must be
aware of the fact that the smartcard may request an interaction with a trusted
component of a platform. In the case where the smartcard will require to interact
with a third party computing entity, the application which interacts with the
smartcard must also allow the smartcard to interact with a network server. In
the best mode implementation, the smartcard should be able to request access
to integrity verification data of a computer platform independently of the
application to which it is talking on a computer entity.

Upon receiving a request from an application of a computing entity to use a
functionality of the smartcard, for example to authorize a transaction, the
smartcard may initiate a request for the monitoring component to supply
monitoring information on the trustworthiness of the state of the computer
platform. Communication between the smartcard and the trusted component is
by way of a protocol module resident on the computer platform which is
responsible for communications between the computing entity and the smartcard
token device. When an application on the PC requires access to the smartcard,
the protocol stack handles these communications. The computing entity can
therefore filter commands which come from the card and are independent from
the computing entity application, such as checking the integrity of the computer
platform, and can accommodate commands which come from the smartcard.
From the point of view of the application, interactions of the smartcard with other
resources on the computing entity are transparent. This can be done using the
technology in "Smartcards - from security tokens to intelligent adjuncts", by Boris
Balacheff, Bruno Van Wilder, and David Chan, published in CARDIS 1998
Proceedings, merged with PCSC technology.

Referring to Fig. 14 herein, there is illustrated schematically an operation to
verify the trustworthiness of a computing entity, as viewed from the perspective
of the smartcard. In step 1400, the smartcard is inserted into the smartcard
reader and contacts 604 on the smartcard connect with corresponding contacts
in the smartcard reader. (This can also be done using contactless technology.)
In step 1401 the smartcard receives a request from the graphical user interface,
via the subsystem 511, to check the trustworthiness of the platform. This signal
is generated by the graphical user interface in response to keystroke inputs
and/or pointing device inputs from a user. Alternatively, in step 1402, the
smartcard may receive a request for access to functionality generated by an
application either resident on the local computing entity, or resident on a
remote computing entity. In step 1403, the smartcard initiates a request for
communication with a trusted component, in response to the signals received
from steps 1401 or 1402. In step 1404, the smartcard then receives integrity
metrics data from the trusted component (via the subsystem 511 in the first
implementation, and directly in the best mode implementation). In step 1405,
the smartcard, having received integrity metrics data from the trusted
component, needs to check the integrity metrics data against the certified
integrity metrics data before it is able to trust the platform. The smartcard
sends the integrity metrics data to a trusted server external to the computing
entity: the smartcard sends the integrity metrics data back to the subsystem 511
(or the trusted component itself in the best mode), which then routes the
integrity metrics data to an address, provided by either the trusted component
or the smartcard, of a trusted third party server. The trusted third party
server performs checks with certified expected integrity metrics in step 1406
and generates a result message and digitally signs it. In step 1407, the
trusted server sends the result message and digital signature back to the
smartcard via the computing entity, and in step 1408, the smartcard receives
the result message and digital signature data from the trusted server. The third
party server may be a publicly accessible device. The smartcard is able to verify
the digital signature to authenticate the third party server and can then use the
result of the verification of the integrity metrics.

Ideally, the server is bound with the smartcard, for example both the server
and the smartcard are issued by the same vendor or body, for example an
internet service provider.

For example, where the smartcard is provided by an internet service
provider, and the smartcard is unable to authenticate the trustworthiness of a
computing entity, then the internet service provider may either refuse to
communicate with the computing entity, or may provide a limited set of
functionality, such as that available to the general public, to the computing
entity, rather than the full set of services available only to registered subscribers.

Having provided the trusted component, in one specific implementation
according to the present invention, the remaining elements of the smartcard and
the application communicating with each other may be provided by a modification
to conventional applications. In this implementation, a conventional smartcard
may be used, which is pre-programmed to respond to a poll signal from an
application to initiate a request to a trusted component to perform integrity metrics
checks.

Referring to Fig. 15 herein, there is illustrated schematically elements of a
possible first generation implementation of a system according to the present
invention. Fig. 15 shows a logical view of components of the first generation
implementation. A trusted component 1500 comprises a processor and memory
physically separated from a computer platform and resident in a trusted logical
space as herein before described. The computer platform comprises a further
processor and data storage means and is resident in a computer platform space
1501. Subsystem 1502 and applications 1503 reside in the computer space
1501. Subsystem 1502 contains an application interface 1503, a verification
application 1504, and a smartcard interface 1505. The smartcard interface
communicates with smartcard reader 1506, which is also in the computer platform
space 1501, and which accepts smartcard 1507. The application interface 1503
contains the PCIA stack.
Referring to Fig. 16 herein, there is illustrated schematically a method of
operation of the first generation implementation of Fig. 15 herein, for smartcard
1507 interacting with the trusted component prior to giving a functionality 'X' in
response to a request for functionality 'X' from an application. In this method of
operation, calls to the PCSC stack could be done through the PCIA stack in order
to provide the PCIA functionality transparently. In the best mode, the PCSC stack
would incorporate the PCIA stack and functionality. In step 1600 the application
sends the request for functionality 'X' to the smartcard via the PCSC stack
resident in the application interface 1503 in the subsystem 1502. In step 1601,
the PCSC stack sends a command to the smartcard, requesting functionality 'X'
from the smartcard. In step 1602 the smartcard responds with a request for
verification of the trustworthiness of the computing entity, which is received by the
PCSC stack. In step 1603, the PCSC stack receives the request; through PCIA
functionality the message will be sent to the trusted component. Either by using
the separate PCIA stack or through existing PCIA functionality the message is
sent to the trusted component to initiate the integrity checks. This may be sent
directly from the application interface 1503 to the trusted component 1500. In the
first specific implementation the verification application 1504 and the subsystem
1502 are used by the trusted component to perform the integrity metrics checks. In
a best mode implementation, the trusted component 1500 contains functionality
within itself to perform these integrity checks on the computer platform directly. In
step 1606, the trusted component (in conjunction with the verification application
in the first implementation, all by itself in the best mode) sends the result of the
integrity verification with a digital signature and certificate data to the smartcard.
In step 1607 the smartcard receives the result of the integrity verification with the
digital signature, verifies the digital signature to authenticate the trusted
component, and if satisfied, it trusts the result of the verification of integrity.
Based on this result it then decides whether or not to provide the application with
functionality 'X'. The application can then proceed. The smartcard has verified
the trustworthiness of the computer platform by requesting to perform an integrity
challenge on the computing entity's trusted component and only once satisfied
about the result of this challenge accepts to provide functionality to the
application.
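The Fig. 16 exchange as an added Python example (not the patent's or any product's code): the card answers the command for functionality 'X' with a proactive verification request, the PCSC stack filters that card-originated request and routes it to the trusted component, delivers the signed result back to the card, and the card releases 'X' only once the signature checks out; the application sees a single ordinary call. The key, the HMAC-SHA256 standing in for the trusted component's digital signature and certificate, and the status codes are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed key (not from the patent). The trusted component's digital signature
# and certificate are stood in for by HMAC-SHA256 under a key the card was
# personalised with; a result that does not verify under this key is treated as
# not coming from the genuine trusted component.
TRUSTED_COMPONENT_KEY = b"constructed-trusted-component-key"

def sign(key, obj):
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class TrustedComponent:
    """Best-mode trusted component 1500: checks the platform itself and signs the result."""

    def __init__(self, platform_ok, key=TRUSTED_COMPONENT_KEY):
        self.platform_ok, self.key = platform_ok, key

    def integrity_check(self):
        # Steps 1603-1606: perform the checks and return a signed result.
        result = {"platform_ok": self.platform_ok}
        return {"result": result, "sig": sign(self.key, result)}

class SmartCard:
    """Card 1507 that withholds functionality 'X' until the platform is verified."""

    def __init__(self):
        self.platform_state = "unverified"     # becomes "trusted" or "untrusted"

    def command(self, name):
        # Step 1601: the PCSC stack asks the card for functionality 'X'.
        if name != "X":
            return {"status": "UNSUPPORTED"}
        if self.platform_state == "unverified":
            # Step 1602: the card answers with a proactive request instead of the data.
            return {"status": "PROACTIVE", "request": "VERIFY_PLATFORM"}
        if self.platform_state == "trusted":
            return {"status": "OK", "data": "output-of-functionality-X"}
        return {"status": "DENIED"}

    def deliver_verification(self, reply):
        # Step 1607: accept the result only if the signature authenticates the
        # trusted component; an unverifiable or negative result leaves 'X' withheld.
        res = reply["result"]
        genuine = hmac.compare_digest(sign(TRUSTED_COMPONENT_KEY, res), reply["sig"])
        self.platform_state = "trusted" if genuine and res["platform_ok"] else "untrusted"
        return self.platform_state

class PcscStack:
    """Application interface 1503: routes card-originated requests to the trusted
    component so that, to the application, step 1600 looks like an ordinary call."""

    def __init__(self, card, trusted_component):
        self.card, self.tc = card, trusted_component
        self.log = []      # constructed trace of what the protocol module did

    def request(self, name):
        reply = self.card.command(name)
        # Filter commands that come from the card and are meant for the platform,
        # not the application; at most one verification round per request.
        if reply["status"] == "PROACTIVE" and reply["request"] == "VERIFY_PLATFORM":
            self.log.append("card requested platform verification")
            state = self.card.deliver_verification(self.tc.integrity_check())
            self.log.append(f"card judged platform {state}")
            reply = self.card.command(name)
        return reply

def application_flow(trusted_component):
    """What the application sees when it asks the card for 'X' twice."""
    stack = PcscStack(SmartCard(), trusted_component)
    first, second = stack.request("X"), stack.request("X")
    return first["status"], second["status"], stack.log

if __name__ == "__main__":
    print(application_flow(TrustedComponent(platform_ok=True)))
    print(application_flow(TrustedComponent(platform_ok=False)))
    print(application_flow(TrustedComponent(platform_ok=True, key=b"counterfeit")))
```

The second request in each flow shows that the card, once it has judged the platform, answers directly without another round trip to the trusted component.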
Claims

1. A system of computing apparatus comprising:

a computing platform having a first data processor and a first data storage
means;

a monitoring component having a second data processor and a second
data storage means, wherein said monitoring component is configured to perform
a plurality of data checks on said computing platform; and

a token device being physically distinct and separable from said computing
platform and said monitoring component,

wherein in one mode of operation, said token device operates to make an
integrity challenge to said monitoring component and said token device will not
undertake specific actions of which it is capable unless it receives a satisfactory
response to said integrity challenge.

2. The system as claimed in claim 1, wherein said token device
receives a detailed response to said integrity challenge, and processes said
integrity response to interpret said integrity response.

3. The system as claimed in claim 1, further comprising a third party
server, wherein a response to said integrity challenge is sent to said third party
server.

4. The system as claimed in claim 3, wherein said monitoring
component sends a detailed integrity response to a third party server if requested
to do so in said integrity challenge.
5. The system as claimed in claim 1, wherein said monitoring
component reports a detailed integrity response to said token device and said
token device sends said integrity response to said third party server if it requires
the third party server to help interpret said detailed integrity response.

6. The system as claimed in claim 1, in which a third party server
simplifies said integrity response to a form in which said token device can
interpret said integrity response.

7. The system as claimed in claim 1, wherein a third party server
sends a simplified integrity response to said token device.

8. The system as claimed in claim 1, operating to add a digital
signature data to said simplified integrity response, said digital signature
authenticating said third party server to said token device.

9. The system as claimed in claim 1, wherein said monitoring
component sends a detailed integrity response to said third party server.

10. The system as claimed in any one of the above claims, in which
said token device is requested to take an action.

11. The system as claimed in any one of the above claims, in which
said token device requests to take an action.

12. The system as claimed in any one of the above claims, in which
said token device sends image data to said computer platform if a said
satisfactory response to said integrity challenge is received, and said computer
platform displays said image data.

13. The system as claimed in claim 1, wherein said monitoring
component is capable of establishing an identity of itself.

14. The system as claimed in claim 1, further comprising an interface
means for interfacing between said monitoring component and said token device.

15. The system as claimed in claim 1, wherein said computing entity is
configured such that said monitoring component reports said data checks to said
token device, said data checks containing data describing a status of said
computer platform.

16. The system as claimed in claim 1, wherein a said specific action
comprises authorising said computing platform to undertake a transaction on
behalf of a user of said system.

17. A system of computing apparatus comprising:

a computing platform having a first data processor and a first data storage
means;

a monitoring component having a second data processor and a second
data storage means, wherein said monitoring component is configured to perform
a plurality of data checks on said computing platform; and

a token device being physically distinct and separable from said computing
platform and said monitoring component,

wherein said token device sends an integrity challenge to said monitoring
component;

said monitoring component generates a response to said integrity
challenge;

if said token device receives a satisfactory response to said integrity
challenge, then said token device sends verification data to said computer
platform, said verification data verifying correct operation of said computer
platform; and

said computer platform displays said verification data on a visual display
screen.

18. A computing entity comprising:

a computing platform having a first data processor and first data storage
means;

a monitoring component having a second data processor and second data
storage means, wherein said monitoring component is configured to perform a
plurality of data checks on said computing platform, said monitoring component
being capable of establishing an identity of itself;

interface means for communicating with a token device, said interface
means communicating with said monitoring component,

wherein said computing entity is configured such that said monitoring
component reports said data checks to said token device, said data checks
containing data describing a status of said computer platform.

19. The computing entity as claimed in claim 18, wherein on
communication between said token device and said interface means, said
monitoring component is activated to perform a monitoring operation on said
computer platform, in which said monitoring component obtains data describing
an operating status of said computer platform.

20. The computing entity as claimed in claim 18, wherein said interface
means is resident substantially wholly within said monitoring component.

21. The computing entity as claimed in claim 18, wherein said interface
means comprises said computer platform.

22. The computing entity as claimed in claim 18, wherein said interface
means comprises a PCSC stack in accordance with PCSC Workgroup PC/SC
Specification 1.0.

23. The computing entity as claimed in claim 18, wherein said
monitoring component comprises a verification means configured to obtain a
certification data independently certifying said status data, and to provide said
certification data to said interface means.

24. The computing entity as claimed in claim 18, wherein said interface
means is configured to send and receive data according to a pro-active protocol.

25. A method of obtaining verification of a state of a computer entity,
said computer entity comprising a computer platform comprising a first data
processor and a first memory means, and a monitoring component comprising a
second data processor and a second memory means, said method comprising
the steps of:

receiving an interrogation request signal via an interface of said computing
entity;

said monitoring component performing a monitoring operation of said
computer platform in response to a said received interrogation request signal;
and

said monitoring component reporting a result message to said interface,
said result message describing a result of said monitoring operation.

26. A method as claimed in claim 25, in which said monitoring
operation comprises the steps of:

said monitoring component carrying out one or a plurality of data checks on
components of said computing platform; and

said monitoring component being able to report a set of certified reference
data together with said data checks.

27. The method as claimed in claim 25, wherein said certified reference
data includes a set of metrics to be expected when measuring particular
components of said computing platform, and includes digital signature data
identifying an entity that certifies said reference data.

28. The method as claimed in claim 25, wherein said step of reporting
verification of said monitoring operation comprises sending a confirmation signal
to a token device, said confirmation signal describing a result of said monitoring
operation.

29. The method as claimed in claim 25, wherein said result message is
transmitted by said interface to a token device external of said computing entity.

30. The method as claimed in claim 25, comprising the step of
reporting a result of said monitoring operation by generating a visual display of
confirmation data.

31. The method as claimed in claim 25, further comprising the steps of:

adding a digital signature data to said result message, said digital signature data
identifying said monitoring component; and

transmitting said result message and said digital signature data from said
interface.

32. A method of obtaining verification of a state of a computer entity,
said computer entity comprising a computer platform and a monitoring
component, said method comprising the steps of:

an application requesting access to a functionality from a token device;

in response to said request for access to functionality, said token device
generating a request signal requesting a verification data from said monitoring
component;

in response to said request for verification, said monitoring component
reporting a result message to said token device, said result message describing a
result of a monitoring operation;

by receipt of a satisfactory said result message, said token device offers
said functionality to said application.
33. The method as claimed in claim 32, wherein said monitoring
component sends a detailed integrity response to a third party server if requested
in an integrity challenge by said token device.

34. The method as claimed in claim 32, wherein said monitoring
component reports a detailed integrity response to said token device, and said
token device sends said integrity response to a third party server if it requires the
third party server to help interpret said detailed integrity response.

35. The method as claimed in claim 32, wherein a third party server
simplifies said integrity response to a form in which said token device can
interpret said integrity response.

36. The method as claimed in claim 32, wherein a third party server
sends a simplified integrity response to said token device.

37. The method as claimed in claim 32, further comprising the steps of:

adding a digital signature data to a simplified integrity response, said digital
signature data authenticating a third party server to said token device.

38. A method of checking an integrity of operation of a computing
entity, said computing entity comprising a computer platform having a first
processor means and first data storage means, and a monitoring component
comprising a second processor and second memory means, by means of a token
device, said token device comprising a third data processor and a third memory
means, said method comprising the steps of:

programming said token device to respond to a received poll signal from an
application program, said poll signal received from said computer platform;

said token device receiving a poll signal from said computer platform;

in response to said received poll signal, said token device generating a
signal for requesting a verification operation by said monitoring component; and

said monitoring component performing a verification operation of said
computer platform in response to said received signal from said token device.

39. A token device for verifying a status of a computing entity, said
token device comprising:

a data storage device; and

means for communicating with a computing entity;

wherein said data storage device is configured to store a status request
message for requesting a status data from said computing entity.

40. The token device as claimed in claim 39, further comprising a data
processor.

41. The token device as claimed in claim 39, said device being
configured to be responsive to a poll signal operating in accordance with PC/SC
specification 1.0, said token device being capable of initiating a command to be
handled by a software stack on the computer entity, in response to said poll
signal according to said poll signal according to a proactive protocol.
42. A method of verifying a status of a computing entity, by means of a
token device provided external of said computing entity, said method comprising
the steps of:

said token device receiving a poll signal;

said token device responding to said poll signal by providing a request for
obtaining verification of a state of said computer entity; and

said token device receiving a result message, said result message
describing the result of said verification.

43. A method by which a token device can obtain verification of a state
of a computing platform by using a monitoring component,

said monitoring component being capable of performing at least one data
check on said computer platform, and establishing an identity of itself, and
establishing a report of said at least one data check; and

wherein said token device has data processing capability and behaves in
an expected manner;

said token device being physically separable from said computing platform
and said monitoring component, said token device having cryptographic data
processing capability;

wherein said monitoring component proves its identity to said token
device and establishes a report to said token device of at least one data check
performed on said computing platform.
44. A token device comprising a data processor and a memory device,
said token device configured to perform at least one data processing or signaling
function;

wherein said token device operates to:

receive an integrity check data from an external source;

if said integrity check data supplied to said token device is satisfactory, then
said token device allows a said function; and

if said integrity check data received by said token device is unsatisfactory,
then said token device denies said function.

Abstract

SMARTCARD USER INTERFACE FOR TRUSTED COMPUTING
PLATFORM

There is disclosed a trusted computer entity which can be used as a stand-
alone device, or as a node in a network of connected computing entities, e.g. as
an internet port, the computing entity having a trusted monitoring component
which monitors operation of a computer platform, wherein a user is provided with
a smartcard trusted token by means of which the user can establish confidence in
the computer platform by means of the smartcard communicating with the trusted
component and the trusted component verifying to the smartcard that the
computer platform is operating correctly. A user may be issued with a plurality of
smartcards, and the smartcards may be capable of verifying a level of trust of any
one of a plurality of computing entities equipped with a trusted component.